After a security breach that led to the data exposure of millions of their subscribers as well as users of other service providers, OTE and Cosmote are seeking to overturn the €9.25 million fine which was imposed on them by Greece’s Data Protection Authority.
The companies have appealed to the Council of State and, among other things, argue that the fine imposed on them was disproportionate to the confirmed violations.
Greece’s Data Protection Authority has revealed to Solomon that the fine could have reached €130.2 million — 14 times higher.
Millions of people’s data was leaked in 2020
The Data Protection Authority’s decision was published in January 2022 and was in regard to the personal data leakage of more than 10 million users in September 2020.
The DPA’s review was the result of information that it received from Cosmote/ΟΤΕ regarding unknown persons that hacked their system in September 2020, leading to the leak of a file “which contained subscriber call data for the period 1/9/2020 – 5/9/2020.”
The DPA’s 2020 Annual Report states that the leak concerned all of the company’s subscribers, but also several million users of other providers, who chatted with Cosmote network subscribers or had used its network through roaming services.
In total, the leak affected the data of more than 10 million people.
Investigating the leak, the DPA found a series of violations of both Greek laws for the protection of personal data in electronic communications and of the European General Data Protection Regulation (GDPR).
Among the violations is the lack of proper implementation of the anonymisation process, poor data protection impact assessment, as well as vulnerabilities in relation to security measures.
The DPA’s report also revealed four additional breaches of OTE/Cosmote systems that resulted in the loss of a large amount of data.
For these breaches, the DPA notes that “it was not possible to identify the type of data transmitted.”
Cosmote & ΟΤΕ: cancel the fines
OTE Group is the largest telecommunications company in Greece. The main shareholder is Deutsche Telekom, holding 50.9%, while the Greek State holds 7.2%. Cosmote is 100% owned by the OTE group.
In a recent communication with the DPA, Solomon was informed that OTE/Cosmote has appealed to the Council of State, challenging the DPA’s decision. The appeals hearing is pending for May 16, 2023.
After Solomon submitted questions to the telecommunications company, they clarified that “OTE and COSMOTE have paid all the fines imposed on them and have not applied for suspension” in regards to the fines.
However, they have requested that the DPA’s decision be annulled, arguing that the decision:
- is based on incorrect interpretation and application of provisions of the law on the protection of personal data and privacy in the field of electronic communications, of the GDPR as well as the Directive 2002/58/EC of the European Parliament and of the Council on the processing of personal data and the protection of privacy in the field of electronic communications,
- has no proper legal justification,
- violates the principle of proportionality in the fines imposed.
Cosmote and OTE claimed that they took all the necessary measures to deal with the incident, and, “from the first moment, they informed and cooperated with the competent authorities.”
They did not provide information on whether there is any new evidence regarding who breached their system and for what reasons.
During the investigation of the incident, Cosmote had claimed that, according to the protective measures it had taken and based on common experience, it can be said with great certainty that all appropriate measures have been taken so that the leaked material “cannot objectively be re-identified taking into account objective factors such as the costs and time that the re-identification process would require.”
The data, according to the company, was kept to “serve requests from subscribers experiencing problems/errors in the mobile network” and “draw statistical conclusions, which are used for optimal mobile network design.”
Data Protection Authority: The total fine could have been 14 times higher
In some of the violations found by the DPA, regarding improper anonymization, the fine can be as high as 2% “of the total global annual turnover of the previous fiscal year.” Additional violations carried a fine of as much as 4% of the corresponding global turnover.
The DPA found that in 2019, the year before the hack and data leak, the OTE group’s turnover “amounted to €3.258 billion.”
Therefore, the Data Protection Authority clarified to Solomon, for some of the violations “the maximum amount of the fine could have been €130.32 million.” And this, although the fine for the “very serious incident of customers data violation” according to the DPA, is only limited to €150,000 due to the implementation of outdated national legislation.